Click here to Skip to main content
65,938 articles
CodeProject is changing. Read more.
Articles / Languages / SQL
 

WCF Claims, STS and Federation – Layman’s View

4.86/5 (11 votes)
15 Dec 2010CC (ASA 2.5) 27.3K  
WCF Claims, STS and Federation – Layman’s View

Configuring Your Federation

I’m here to explain WCF claims in federated services using STS (security token service) from a layman’s perspective. I’ve started with the set of configuration you have to put in place on web.config under system.serviceModel to make your service in a federated way. Instead of a very boring textual explanation, I’m explaining it in a comic way.

This is to be declared inside <binding> -> <security> element of system.serviceModel section of web.config.

XML
<wsFederationHttpBinding>
 <binding name="wsFed">
  <security mode="Message">
   <message issuedTokenType=
     "<strong>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
     </strong>" negotiateServiceCredential="false">    
    <issuer address="<strong>http://udoozSTS/TokenService.svc</strong>" 
	binding ="wsHttpBinding"  bindingConfiguration="udoozSTSBinding" >
     
    </issuer>
   </message>
  </security>
 </binding>
</wsFederationHttpBinding>

The <issuer> is the place you have to tell where STS is hosted over which binding with appropriate binding configuration. This service expects SAML 1.1 provided by udoozSTS. Since this is expected as part of the request message, it has been declared in Message security mode.

This is has to be declared in <identity> section of <issuer>.

XML
<identity>
         <certificateReference
              findValue="WCFServerKey"
              x509FindType="FindBySubjectName"
              storeLocation="LocalMachine"
              storeName="TrustedPeople" />
</identity>

This has to be declared in <claimTypeRequirements> element under <message>.

XML
<claimTypeRequirements>
<add claimType="http://schemas.udooz.net/2010/12/identity/claims/facebookId" 
	isOptional="false"/>
 <add claimType="http://schemas.udooz.net/2010/12/identity/claims/orgName" 
	isOptional="false"/>
</claimTypeRequirements>

The whole configuration related to this is:

XML
 <bindings>
 <wsFederationHttpBinding>
  <binding name="mrservice">
   <security mode="Message">
    <message issuedTokenType=
	http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 
	negotiateServiceCredential="false">
     <claimTypeRequirements>
      <add claimType="http://schemas.udooz.net/2010/12/identity/claims/facebookId" 
	isOptional="false"/>
      <add claimType="http://schemas.udooz.net/2010/12/identity/claims/orgName" 
	isOptional="false"/>
     </claimTypeRequirements>
     <issuer address="http://udoozSTS/TokenService.svc" 
	binding ="wsHttpBinding"  bindingConfiguration="udoozSTSBinding" >
      <identity>
       <certificateReference
         findValue="WCFServerKey"
         x509FindType="FindBySubjectName"
         storeLocation="LocalMachine"
         storeName="TrustedPeople" />                 
      </identity>
     </issuer>
    </message>
   </security>
  </binding>
 </wsFederationHttpBinding>
<bindings>

The proofs are called as claims. A collection of claims about a consumer provided by an identity provider (STS) with its identity is called as ClaimSet.

The comic was developed using: .

To be continued…

License

This article, along with any associated source code and files, is licensed under The Creative Commons Attribution-ShareAlike 2.5 License



Permalink

Privacy
Cookies
Terms of Use
Layout: fixed | fluid

Article Copyright 2010 by M Sheik Uduman Ali
Everything else Copyright © CodeProject, 1999-2024

Web01 2.8:2024-10-19:1